diff options
author | Piotr Nowicki <56911018+piotr-now@users.noreply.github.com> | 2020-06-01 08:09:26 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-01 08:09:26 +0200 |
commit | e071e42480e2e75f68a02e59457b1396393f1dbc (patch) | |
tree | c83358f5c83090158494331354bb69cf04165796 | |
parent | fc7c69df25f98961254cc36e2b297632b92f3d5e (diff) | |
parent | f0ab6d62ac64e193d44a6e0276c75797add3f04b (diff) | |
download | mbed-tls-e071e42480e2e75f68a02e59457b1396393f1dbc.tar.gz |
Merge pull request #3336 from piotr-now/baremetal_flowmon
Increasing resistance to fault injection attacks related with memory operations.
-rw-r--r-- | library/platform_util.c | 12 | ||||
-rw-r--r-- | tinycrypt/ecc.c | 22 |
2 files changed, 26 insertions, 8 deletions
diff --git a/library/platform_util.c b/library/platform_util.c index 2c22b3c64..3869f30a5 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -111,6 +111,9 @@ void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) /* Randomize initial data to prevent leakage while copying */ uint32_t data = mbedtls_platform_random_in_range( 256 ); + /* Use memset with random value at first to increase security - memset is + not normally part of the memcpy function and here can be useed + with regular, unsecured implementation */ memset( (void *) dst, data, num ); memcpy( (void *) ( (unsigned char *) dst + start_offset ), (void *) ( (unsigned char *) src + start_offset ), @@ -124,23 +127,26 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) volatile const unsigned char *B = (volatile const unsigned char *) buf2; volatile unsigned char diff = 0; - size_t i = num; - + /* Start from a random location and check the correct number of iterations */ + size_t i, flow_counter = 0; size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); for( i = start_offset; i < num; i++ ) { unsigned char x = A[i], y = B[i]; + flow_counter++; diff |= x ^ y; } for( i = 0; i < start_offset; i++ ) { unsigned char x = A[i], y = B[i]; + flow_counter++; diff |= x ^ y; } - return( diff ); + /* Return 0 only when diff is 0 and flow_counter is equal to num */ + return( (int) diff | (int) ( flow_counter ^ num ) ); } uint32_t mbedtls_platform_random_in_range( size_t num ) diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c index c6c722a95..ba3626719 100644 --- a/tinycrypt/ecc.c +++ b/tinycrypt/ecc.c @@ -286,20 +286,32 @@ uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right) { uECC_word_t diff = 0; + uECC_word_t flow_monitor = 0; uECC_word_t tmp1, tmp2; volatile int i; - for (i = NUM_ECC_WORDS - 1; i >= 0; --i) { + /* Start from a random location and check the correct number of iterations */ + int start_offset = mbedtls_platform_random_in_range(NUM_ECC_WORDS); + + for (i = start_offset; i < NUM_ECC_WORDS; ++i) { + tmp1 = left[i]; + tmp2 = right[i]; + flow_monitor++; + diff |= (tmp1 ^ tmp2); + } + + for (i = 0; i < start_offset; ++i) { tmp1 = left[i]; tmp2 = right[i]; + flow_monitor++; diff |= (tmp1 ^ tmp2); } - /* i should be -1 now */ + /* Random delay to increase security */ mbedtls_platform_random_delay(); - diff |= i ^ -1; - return diff; + /* Return 0 only when diff is 0 and flow_counter is equal to NUM_ECC_WORDS */ + return (diff | (flow_monitor ^ NUM_ECC_WORDS)); } uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond) @@ -848,7 +860,7 @@ void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product) } while (carry < 0); } else { - while (carry || + while (carry || uECC_vli_cmp_unsafe(curve_p, result) != 1) { carry -= uECC_vli_sub(result, result, curve_p); } |